From e0354eda8f1dba999c452caf99c40dcb6f7af33e Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 08:57:35 +0100 Subject: working on stunnel for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 1afe25a4..2133d6da 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -39,5 +39,17 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + stunnel::service { 'bigcouch': + accept => '6984', + connect => '127.0.0.1:5984', + client => false, + cafile => $ca_path, + key => $key_path, + cert => $cert_path, + verify => '2', + pid => '/var/run/stunnel4/couchdb.pid', + rndfile => '/var/lib/stunnel4/.rnd', + debuglevel => '4' + } } -- cgit v1.2.3 From ec2727a1cae91c34233c831ae31277690a8ef3dc Mon Sep 17 00:00:00 2001 From: varac Date: Tue, 19 Mar 2013 15:29:48 +0100 Subject: added bigcouch.conf as incoming stunnel config for bigcouch clustering --- puppet/modules/site_couchdb/manifests/stunnel.pp | 28 +++++++++--------------- 1 file changed, 10 insertions(+), 18 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2133d6da..d16e09b5 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -9,24 +9,14 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" - x509::key { - $cert_name: - content => $key, - notify => Service['stunnel']; - } - - x509::cert { - $cert_name: - content => $cert, - notify => Service['stunnel']; - } - - x509::ca { - $ca_name: - content => $ca, - notify => Service['stunnel']; + class { 'site_stunnel::setup': + cert_name => $cert_name, + key => $key, + cert => $cert, + ca => $ca } + # webapp access stunnel::service { 'couchdb': accept => '6984', connect => '127.0.0.1:5984', @@ -39,9 +29,11 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clustering between bigcouch nodes stunnel::service { 'bigcouch': - accept => '6984', - connect => '127.0.0.1:5984', + accept => '5369', + connect => '127.0.0.1:4369', client => false, cafile => $ca_path, key => $key_path, -- cgit v1.2.3 From d9c9cbb7ae5fde7767ac6b2cbc25936a0045104d Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 19:06:45 +0100 Subject: addded client side of bigcouch cluster protocol stunnel config --- puppet/modules/site_couchdb/manifests/stunnel.pp | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index d16e09b5..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -31,6 +31,8 @@ class site_couchdb::stunnel ($key, $cert, $ca) { } # clustering between bigcouch nodes + + # server stunnel::service { 'bigcouch': accept => '5369', connect => '127.0.0.1:4369', @@ -43,5 +45,19 @@ class site_couchdb::stunnel ($key, $cert, $ca) { rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } + + # clients + $couchdb_stunnel_client_defaults = { + 'connect_port' => '5369', + 'client' => true, + 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", + 'key' => "${x509::variables::keys}/${cert_name}.key", + 'cert' => "${x509::variables::certs}/${cert_name}.crt", + 'verify' => '2', + 'rndfile' => '/var/lib/stunnel4/.rnd', + 'debuglevel' => '4' + } + create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + } -- cgit v1.2.3 From 7a08ff22b0317e77895e4ff52e6f56db70afb8df Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 20:06:47 +0100 Subject: increase stunnel verbosity until everything is running smooth --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..44ddae0b 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '4' + debuglevel => '7' } # clients -- cgit v1.2.3 From 34a44db0de9a7d79ac68e93e79f29dcc32a30c76 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:07:25 +0100 Subject: couchdb hosts include site_shorewall::couchdb::bigcouch --- puppet/modules/site_couchdb/manifests/init.pp | 1 + 1 file changed, 1 insertion(+) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/init.pp b/puppet/modules/site_couchdb/manifests/init.pp index d317de65..e0f379cd 100644 --- a/puppet/modules/site_couchdb/manifests/init.pp +++ b/puppet/modules/site_couchdb/manifests/init.pp @@ -67,4 +67,5 @@ class site_couchdb ( $bigcouch = false ) { } include site_shorewall::couchdb + include site_shorewall::couchdb::bigcouch } -- cgit v1.2.3 From 6e223037a4ca36273984c0ab0f2eb9b81f5f10da Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:11:40 +0100 Subject: decrease stunnel debug level --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 44ddae0b..2d5cbaa1 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -43,7 +43,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { verify => '2', pid => '/var/run/stunnel4/couchdb.pid', rndfile => '/var/lib/stunnel4/.rnd', - debuglevel => '7' + debuglevel => '4' } # clients -- cgit v1.2.3 From e9b00c6efb65faa4c0dfa955527fafc2b13889d4 Mon Sep 17 00:00:00 2001 From: varac Date: Wed, 20 Mar 2013 22:31:51 +0100 Subject: fix bigcouch stunnel pid name --- puppet/modules/site_couchdb/manifests/stunnel.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 2d5cbaa1..f5001051 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -25,7 +25,7 @@ class site_couchdb::stunnel ($key, $cert, $ca) { key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouch.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } -- cgit v1.2.3 From 50cbfca55b99c0e284aff23c8f779499f4af1f4a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Tue, 26 Mar 2013 13:52:22 -0400 Subject: remove duplicate 'include site_stunnel' this already exists in class site_stunnel::setup which is instantiated in this class --- puppet/modules/site_couchdb/manifests/stunnel.pp | 1 - 1 file changed, 1 deletion(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index f5001051..9e1bad49 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,7 +1,6 @@ class site_couchdb::stunnel ($key, $cert, $ca) { include x509::variables - include site_stunnel $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' -- cgit v1.2.3 From dd459efb1063de6c11f9f11583290c6a0891436a Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:22:52 -0400 Subject: replace long-form variables with shorter ones remove unnecessary bigcouch_replication_client_default values (verify, rndfile, debuglevel) --- puppet/modules/site_couchdb/manifests/stunnel.pp | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 9e1bad49..a49b51b9 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -49,12 +49,9 @@ class site_couchdb::stunnel ($key, $cert, $ca) { $couchdb_stunnel_client_defaults = { 'connect_port' => '5369', 'client' => true, - 'cafile' => "${x509::variables::local_CAs}/${ca_name}.crt", - 'key' => "${x509::variables::keys}/${cert_name}.key", - 'cert' => "${x509::variables::certs}/${cert_name}.crt", - 'verify' => '2', - 'rndfile' => '/var/lib/stunnel4/.rnd', - 'debuglevel' => '4' + 'cafile' => $ca_path, + 'key' => $key_path, + 'cert' => $cert_path, } create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) -- cgit v1.2.3 From baf3ed5b6db4e8af052564864d8c3e426cf5d9d0 Mon Sep 17 00:00:00 2001 From: Micah Anderson Date: Sun, 31 Mar 2013 12:32:42 -0400 Subject: switch to using stunnel_client and stunnel_server leap_cli macros add bigcouch_replication_clients to couchdb.json change site_couchdb/manifests/stunnel to use stunnel_client and stunnel_server generated hiera values to setup the stunnels for the couch_server connections, and the bigcouch_replication_server and bigcouch_replication_clients tunnels instead of using hard-coded ips and ports. also change the pid names to be more consistent with what the tunnels are and are named --- puppet/modules/site_couchdb/manifests/stunnel.pp | 41 +++++++++++++++--------- 1 file changed, 26 insertions(+), 15 deletions(-) (limited to 'puppet/modules/site_couchdb') diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index a49b51b9..1eb79293 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -1,13 +1,26 @@ class site_couchdb::stunnel ($key, $cert, $ca) { - include x509::variables + $stunnel = hiera('stunnel') + + $couch_server = $stunnel['couch_server'] + $couch_server_accept = $couch_server['accept'] + $couch_server_connect = $couch_server['connect'] + + $bigcouch_replication_server = $stunnel['bigcouch_replication_server'] + $bigcouch_replication_server_accept = $bigcouch_replication_server['accept'] + $bigcouch_replication_server_connect = $bigcouch_replication_server['connect'] + $bigcouch_replication_clients = $stunnel['bigcouch_replication_clients'] + + include x509::variables $cert_name = 'leap_couchdb' $ca_name = 'leap_ca' $ca_path = "${x509::variables::local_CAs}/${ca_name}.crt" $cert_path = "${x509::variables::certs}/${cert_name}.crt" $key_path = "${x509::variables::keys}/${cert_name}.key" + # basic setup: ensure cert, key, ca files are in place, and some generic + # stunnel things are done class { 'site_stunnel::setup': cert_name => $cert_name, key => $key, @@ -15,45 +28,43 @@ class site_couchdb::stunnel ($key, $cert, $ca) { ca => $ca } - # webapp access - stunnel::service { 'couchdb': - accept => '6984', - connect => '127.0.0.1:5984', + # setup a stunnel server for the webapp to connect to couchdb + stunnel::service { 'couch_server': + accept => $couch_server_accept, + connect => $couch_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/bigcouch.pid', + pid => '/var/run/stunnel4/couchserver.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } - # clustering between bigcouch nodes + # setup stunnels for bigcouch clustering between each bigcouchdb node # server - stunnel::service { 'bigcouch': - accept => '5369', - connect => '127.0.0.1:4369', + stunnel::service { 'bigcouch_replication_server': + accept => $bigcouch_replication_server_accept, + connect => $bigcouch_replication_server_connect, client => false, cafile => $ca_path, key => $key_path, cert => $cert_path, verify => '2', - pid => '/var/run/stunnel4/couchdb.pid', + pid => '/var/run/stunnel4/bigcouchreplication_server.pid', rndfile => '/var/lib/stunnel4/.rnd', debuglevel => '4' } # clients - $couchdb_stunnel_client_defaults = { - 'connect_port' => '5369', + $bigcouch_replication_client_defaults = { 'client' => true, 'cafile' => $ca_path, 'key' => $key_path, 'cert' => $cert_path, } - create_resources(site_stunnel::clients, hiera('stunnel'), $couchdb_stunnel_client_defaults) + create_resources(site_stunnel::clients, $bigcouch_replication_clients, $bigcouch_replication_client_defaults) } - -- cgit v1.2.3